The Ransomware Threat – Panicking Doesn’t Help

Last Friday we saw what looked like an attack on the NHS. As events unfolded, however, it became clear that this was far from a targeted effort against the NHS.

The attack was global in scale and had no particular target in mind. It infected Windows machines with a piece of ransomware dubbed WannaCry, which encrypts the user's files and demands a payment to unlock them, with the fee increasing the longer the victim waits. Only Microsoft Windows systems were affected.

As the dust starts to settle on the initial rapid rate of infection, it has given us all a strong wake-up call. The spread seems to have slowed, but that does not mean we have all dodged the bullet and can start lowering our guard. Far from it.

There has never been a more relevant moment to remind ourselves why we need to think about our computer security, and of the simple things we can do to reduce our risk.

We thought we'd put together an easy-to-follow breakdown of some simple things you can do to help protect yourself, things to be aware of, and a few myths debunked to put your mind at ease.

Email Security

This one might be obvious, but you would be surprised how many people still fall foul of basic email security.

Give out your address sparingly and only to sites you trust, or use a secondary email address.

If you need to sign up to a site you have never heard of before, consider using a secondary email address created specifically for that purpose. This keeps your primary address apart from the less trustworthy sign-ups, and limits the damage if one of those sites has its user list stolen: the phishing that follows such a breach lands in the throwaway inbox, not your main one.

The simplest way to do this is to sign up for a free email account with Google, Yahoo or another free email provider.

Phishing Awareness – never click on a link you don’t recognise

Email phishing is one of the most successful tools used by cyber criminals; it is regularly reported as the starting point of the large majority of successful targeted attacks, with figures of around 90% often cited.

Phishing emails tend to convey urgency to get the user to click a link or open an attachment. They typically purport to come from your CEO, your bank or a high-street retailer you use.

Before rushing to act, look at the actual sender address, not just the display name. Watch for spelling mistakes, poor grammar and any language that would not come from a professional organisation.

It doesn't hurt to take a moment to obtain the organisation's official phone number. Search for them online, find their official website and call the number listed there (not a number given in the email). You will quickly find out whether the email was genuine.

In general, never click a link in an email or download an attachment from a source you do not fully recognise. If you are unsure, our advice is to leave it unclicked.

Updates and patches

Updates and patches are there for a reason: every release closes some gap in the system's security or fixes a flaw. WannaCry is the textbook case. It spread from machine to machine by exploiting a flaw in Windows file sharing (SMBv1) that Microsoft had patched in March, two months before the outbreak, so machines that had installed that update could not be infected by the worm.

Keep your Windows operating system up to date

The first step is to check that you have the latest security updates and patches for your Windows operating system.

Click the Start button and type "Windows Update" in the search bar, then click the link for Windows Update settings.

The next screen tells you whether an update is available or you are already up to date.

Click on Change active hours

Select “Download and install updates automatically”
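For administrators who would rather check this from a shell than click through Settings, the following PowerShell script is an added example (not part of the original article). It asks the Windows Update Agent for updates that are still pending, shows the most recently installed hotfix, and checks whether SMBv1, the file-sharing protocol WannaCry spread through, is still enabled. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the SMB cmdlets exist) and a host that can reach Windows Update or a WSUS server.

```powershell
# Added example: audit a Windows host for pending updates and for SMBv1.
# Assumptions: elevated PowerShell; Windows 8 / Server 2012 or later (for the Smb* cmdlets);
# the host can reach Windows Update or WSUS.

# 1. Ask the Windows Update Agent (COM) for software updates that are not yet installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

if ($result.Updates.Count -eq 0) {
    Write-Host "No pending software updates."
} else {
    Write-Host "Pending updates ($($result.Updates.Count)):"
    foreach ($u in $result.Updates) {
        # Security updates carry an MsrcSeverity such as Critical or Important.
        $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { "n/a" }
        Write-Host ("  [{0}] {1}" -f $sev, $u.Title)
    }
}

# 2. Show when the machine last installed any update at all.
$last = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last) {
    Write-Host ("Most recent hotfix: {0} installed {1}" -f $last.HotFixID, $last.InstalledOn)
}

# 3. Check whether SMBv1 is still enabled on the server side and switch it off if so.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 is enabled - disabling it."
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host "SMBv1 is already disabled."
}
```

On Windows 7 and Server 2008 R2 the Smb* cmdlets are not available; there, Microsoft's documented method is the registry value SMB1 = 0 under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, followed by a reboot. Disabling SMBv1 is a belt-and-braces measure: the patch closes the hole, removing the protocol removes the attack surface entirely, but check first that no old scanner, NAS or printer on your network still depends on it.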

Antivirus

An antivirus solution should always be a staple of your overall security measures. No computer should be without one, not even a Mac.

That said, even the best possible configuration can be bypassed in a number of ways, so treat antivirus as one layer of defence rather than a guarantee.

Here is our recommended checklist for your antivirus deployment.

Deploy tamper protection using a strong, complex password. If user credentials are used (for example, a domain user account), make the password long and complex, and do not reuse it anywhere else.

Limit the number of exclusions per deployment policy and be precise with file paths. Avoid wildcards unless absolutely necessary (for example, a database directory). Too many exclusions will also hurt the antivirus software's performance.

Deploy individual policies per server or at the very least, per server role.

Enable on-access (real-time) scanning, and make sure heuristic scanning is enabled as well.

Perform a full system scan regularly; you cannot rely on on-access scanning alone. The full scan should include the locations excluded from on-access scanning, because exclusions are a favourite drop-point for attackers (and penetration testers).

Where possible, enable alerts for every detection and create email groups so that the security team and support desk are notified as it happens. Some products allow different alerts depending on whether a system is infected once, re-infected, or part of an outbreak.

Ensure that logging is configured with appropriate alerting to the IT team. If the antivirus software is disabled, or a virus is detected, a follow-up process should begin without delay.

Keep the antivirus definitions up to date: apply the latest signatures as soon as the vendor releases them. Updates to the AV engine itself should be tested before full deployment in case of compatibility issues.

Restrict external media such as USB sticks and other storage devices if the endpoint software offers that control. Block write access to reduce the risk of data loss, and restrict read access too, so that external files, which could harbour malware, are not brought into the internal network.

Configure different policies for mobile devices, laptops and tablets based on their location, so you can enforce a stricter environment when the user is out and about. When an 'external' or 'out-of-office' policy is in use, we recommend increasing the scheduled scans so that a quick scan runs every two hours and a full scan at least once a day, and completely blocking USB and external media.
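To turn the checklist into something you can actually run, here is an added example (our own, not from the original article) that audits a Windows Defender endpoint against the points above: real-time scanning on, signatures fresh, a recent full scan, and no over-broad exclusions. It assumes Windows 10 / Server 2016 with the Defender cmdlets (Get-MpComputerStatus, Get-MpPreference) and an administrative shell; the thresholds (one day for signatures, seven for a full scan) are our choices and can be tightened. Other AV products expose the same settings through their own consoles.

```powershell
# Added example: check Windows Defender against the antivirus checklist.
# Assumptions: Windows 10 / Server 2016 with the Defender module; run as an administrator.
# Thresholds below (1 day for signatures, 7 days for a full scan) are our own choices.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$issues = @()

# Real-time (on-access) scanning and behaviour monitoring must be switched on.
if (-not $status.RealTimeProtectionEnabled) { $issues += "Real-time protection is OFF" }
if (-not $status.BehaviorMonitorEnabled)    { $issues += "Behaviour monitoring is OFF" }
if ($pref.DisableRealtimeMonitoring)        { $issues += "Policy disables real-time monitoring" }

# Definitions should be recent.
if ($status.AntivirusSignatureAge -gt 1) {
    $issues += "Signatures are $($status.AntivirusSignatureAge) day(s) old (last update $($status.AntivirusSignatureLastUpdated))"
}

# A full scan must have run recently; quick scans alone do not cover excluded locations.
if (-not $status.FullScanEndTime -or $status.FullScanAge -gt 7) {
    $issues += "No full scan in the last 7 days"
}

# Exclusions are where attackers drop payloads: flag wildcards and whole-drive exclusions.
$paths = @($pref.ExclusionPath | Where-Object { $_ })
foreach ($path in $paths) {
    if ($path -match '[\*\?]' -or $path -match '^[A-Za-z]:\\?$') {
        $issues += "Over-broad path exclusion: $path"
    }
}

# Excluding executable file types defeats the point of scanning.
$exts = @($pref.ExclusionExtension | Where-Object { $_ })
foreach ($ext in $exts) {
    if ($ext.TrimStart('.').ToLower() -in @('exe', 'dll', 'ps1', 'js', 'vbs', 'scr', 'bat')) {
        $issues += "Executable extension excluded: $ext"
    }
}

# A process exclusion means nothing that process opens is scanned; list them for review.
$procs = @($pref.ExclusionProcess | Where-Object { $_ })
foreach ($proc in $procs) {
    $issues += "Process exclusion present (files it touches are not scanned): $proc"
}

if ($issues.Count -eq 0) {
    Write-Host "Defender configuration passes the checklist."
} else {
    Write-Warning "Defender checklist findings:"
    $issues | ForEach-Object { Write-Warning "  - $_" }
}
```

Run it on a handful of machines and the findings usually cluster around two things: exclusions that were added years ago for some application and never removed, and laptops whose signatures are days old because they rarely see the corporate network. Both are exactly the gaps the checklist is meant to close.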

Have a backup plan

A solid and tested backup strategy is one of the key elements of recovering from any attack, and regular backups are your best protection against a data-loss catastrophe. For ransomware in particular, a backup is only useful if the attack cannot reach it: a backup drive or share that stays permanently connected will be encrypted along with everything else, so keep at least one copy offline or otherwise out of reach of the infected machine, and test that you can actually restore from it.

Understanding On-Premises and Remote Backup

There are two broad approaches to backup: on-premises backup and remote backup. Either (or both) may be appropriate for your business.

On-premises backup

In an on-premises setup, you copy your data to a second hard drive, other media or a shared drive, either manually or at set intervals.

With this setup, all the data is within your reach, and therein lies both its value and its risk. You can always access your information when necessary, but it is vulnerable to loss, whether through theft (someone breaking in and taking the equipment) or damage (a leaky water pipe, a natural disaster), and, if the backup media stays connected, to the same ransomware that hit the original.

Remote backup

With a remote backup, your computer automatically sends your data to a remote site at specified intervals.

To perform a backup, you install the software on every computer holding data you want to back up, set a schedule and identify the files and folders to be copied.

The software then takes care of the backups for you.

With a remote backup service you do not have to buy backup equipment, and in the event of a disaster you can still recover critical data. This makes remote backup well suited to companies that need to back up critical information but lack the equipment, expertise or inclination to set up dedicated on-site storage.

The main downside of remote backup is that Internet access is required to restore your data. If your connection goes down (as it may in a disaster), you cannot restore from your backups until it is back, and restoring a large data set over the Internet takes considerably longer than from a local drive.
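The word "tested" in "a solid and tested backup strategy" is the part most people skip. The following PowerShell script is an added example (not from the original article) of an on-premises backup that is both versioned and verified: each run goes into its own timestamped folder, so an encrypted copy of a file never overwrites yesterday's good one, and every source file is hashed and compared against its copy before the job is declared successful. The folder paths are placeholders, and it assumes the backup drive is attached only while the job runs, for the reason given above.

```powershell
# Added example: versioned on-premises backup with a verified test-restore.
# Assumptions: $Source is the folder to protect, $BackupRoot a drive attached only while
# the job runs (a permanently mapped backup share gets encrypted with everything else).
# Both paths are placeholders; robocopy ships with Windows.
param(
    [string]$Source     = 'C:\Data',
    [string]$BackupRoot = 'E:\Backups'
)

# One folder per run: a bad copy today never destroys a good copy from yesterday.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest | Out-Null

# robocopy mirrors the tree and keeps timestamps. Exit codes 0-7 are success;
# 8 and above mean at least one file could not be copied.
robocopy $Source $dest /E /COPY:DAT /R:2 /W:5 /NFL /NDL /NJH /NJS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

# Test the restore: every source file must exist in the snapshot with an identical SHA-256.
$srcRoot = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
$bad = 0
foreach ($file in Get-ChildItem -LiteralPath $srcRoot -Recurse -File) {
    $rel  = $file.FullName.Substring($srcRoot.Length + 1)
    $copy = Join-Path $dest $rel
    if (-not (Test-Path -LiteralPath $copy)) {
        Write-Warning "Missing from backup: $rel"
        $bad++
        continue
    }
    $h1 = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
    $h2 = (Get-FileHash -Algorithm SHA256 -LiteralPath $copy).Hash
    if ($h1 -ne $h2) {
        Write-Warning "Hash mismatch: $rel"
        $bad++
    }
}

# Keep a manifest of hashes beside the snapshot so a restore months later can be verified too.
Get-ChildItem -LiteralPath $dest -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $BackupRoot "$stamp.manifest.csv") -NoTypeInformation

if ($bad -eq 0) {
    Write-Host "Backup $stamp verified: all files match."
} else {
    throw "$bad file(s) failed verification"
}
```

The manifest is the piece that makes a later restore testable: after copying a snapshot back, re-hash the restored files and compare against the CSV. If the numbers match, you know the backup is usable; if you only find out during an incident, it is too late.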

Use a Firewall

A firewall guards your network connections and makes sure that suspicious or unauthorised programs cannot reach your computer without consent. In WannaCry's case, a firewall that blocks incoming Windows file-sharing connections from the Internet stops the worm from reaching the machine in the first place.

As with everything else, keep your firewall updated at all times so that it protects you against the latest attack methods.

Also, do not approve prompts asking to let a program you do not recognise through the firewall.

Best practices for firewalls:

Document all firewall rule changes. It sounds like a no-brainer, but firewalls do not come with a built-in change management process, so you have to record the changes yourself.

Create every access rule with the minimum access it needs. Overly permissive rules are another common security issue.

Remove unused rules from the rule base when services are decommissioned. This happens more often than you might think: businesses are great at asking for new rules but rarely tell the firewall team when a service is no longer needed.

Review your firewall at least once a year. Rule-base reviews are a critical part of firewall maintenance; your networks and services are not static, so your rule base should not be either.
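The four practices above apply just as much to the host firewall on each Windows machine as to the perimeter firewall. As an added example (ours, not from the original article), this PowerShell script documents the enabled inbound allow rules as a dated CSV, flags rules that accept file sharing (TCP 445) or Remote Desktop (TCP 3389) from any address, and adds a rule blocking inbound SMB from outside your internal range, which is the path WannaCry took between machines. It assumes Windows 8 / Server 2012 or later (the NetSecurity module), an elevated shell, and that 10.0.0.0/8 stands in for your own internal network.

```powershell
# Added example: document, review and tighten the Windows Firewall on one host.
# Assumptions: Windows 8 / Server 2012 or later; elevated PowerShell; the "internal" network
# is 10.0.0.0/8 (placeholder; substitute your own ranges).

# 1. Document: export every enabled inbound allow rule with its ports and sources.
$inbound = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
$report  = foreach ($rule in $inbound) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = (@($port.LocalPort) -join ',')
        RemoteAddress = (@($addr.RemoteAddress) -join ',')
    }
}
$csv = "firewall-inbound-{0}.csv" -f (Get-Date -Format 'yyyyMMdd')
$report | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Exported $($report.Count) inbound allow rule(s) to $csv"

# 2. Review: flag rules that accept SMB or RDP from anywhere (the "overly permissive" case).
$report | Where-Object {
    ($_.LocalPort -match '(^|,)(445|3389)(,|$)') -and ($_.RemoteAddress -eq 'Any')
} | ForEach-Object {
    Write-Warning "Overly permissive: '$($_.Name)' allows port $($_.LocalPort) from Any"
}

# 3. Least privilege: block inbound SMB from every address that is NOT internal.
# Windows Firewall block rules win over allow rules, so the block is scoped to the address
# ranges outside 10.0.0.0/8 rather than to "Any", leaving internal file sharing working.
$outside = @('1.0.0.0-9.255.255.255', '11.0.0.0-223.255.255.255')
$name    = 'Block inbound SMB from outside internal network'
if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $outside -Action Block -Profile Any | Out-Null
    Write-Host "Created rule: $name"
} else {
    Write-Host "Rule already present: $name"
}
```

Keep the CSV exports with your change records; diffing this month's export against last month's is the cheapest firewall review you will ever do, and it shows exactly which rules appeared without a ticket. For machines that leave the building, consider blocking 445 outright on the Public profile rather than by address range.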

Final Words….

Paying the ransom does not guarantee that you get your files back, nor that the malware is removed from the system. If anything, it creates more problems than it solves.

By paying, you are playing into the attackers' hands. It encourages them to develop more ransomware like this in the future, and they may well come back to you, having identified you as a target that pays.

It is not clear when WannaCry will disappear, but one thing we do know is that it will not be the only virus of its kind.

It is important to say that, while the steps above will help protect you from online threats, they do not make you 100% safe. If someone is determined enough to target you, they will find a way. But by following this advice and taking the actions above, you have made yourself a much harder target.